Theo Moye | Photographer

Privacy Policy


Introduction


I take your privacy seriously. Where I am provided with information that identifies you or another person it will only be used in accordance with this privacy policy and the requirements of the General Data Protection Regulation (GDPR).


1. Contact details:


Online: https://www.theomoye.co.uk/contact


2. What information I collect, use, and why:


I collect or use the following information to provide services and goods, including delivery:

I collect or use the following information for the operation of customer accounts and guarantees:

I collect or use the following information to comply with legal requirements:

I collect or use the following personal information for dealing with queries, complaints or claims:


3. Lawful bases and data protection rights


Under UK data protection law, I must have a “lawful basis” for collecting and using your personal information. There is a list of possible lawful bases in the UK GDPR. Which lawful basis I rely on may affect your data protection rights which are set out in brief below.

If you make a request, I must respond to you without undue delay and in any event within one month.
To make a data protection rights request, please contact us using the contact details at the top of this privacy notice.


4. Our lawful bases for the collection and use of your data


Our lawful bases for collecting or using personal information to provide services and goods are:

My lawful bases for collecting or using personal information for the operation of customer accounts and guarantees are:

My lawful bases for collecting or using personal information for legal requirements are:

My lawful bases for collecting or using personal information for dealing with queries, complaints or claims are:


5. How long I keep information


I will retain your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy. I will retain and use your Personal Data to the extent necessary to comply with my legal obligations (for example, if I am required to retain your data to comply with applicable laws), resolve disputes, and enforce my legal agreements and policies.
For more information on how long I store your personal information or the criteria I use to determine this please contact me using the details provided above.


6. Sharing information outside the UK


Where necessary, I will transfer personal information outside of the UK. When doing so, I will take all steps reasonably necessary to comply with the UK GDPR, making sure appropriate safeguards are in place.


7. How to complain


If you have any concerns about my use of your personal information, you can make a data protection complaint to me: Online: https://www.theomoye.co.uk/contact


If you remain unhappy with how I’ve used your data after raising a complaint with me, you can also complain to the ICO.
The ICO’s address:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
Website: https://www.ico.org.uk/make-a-complaint


Data Protection Complaints Policy


1. Purpose


This policy explains how Theo Moye handles data protection complaints fairly, promptly, and in line with UK data protection law, including the internal complaints process requirements introduced by the Data (Use and Access) Act 2025 and set out in DPA 2018, s.164A.


2. Scope


This policy applies where an individual complains that I have infringed data protection law in connection with their personal data (or personal data of someone they are authorised to act for).
It covers complaints received from customers, staff, suppliers, website users, and any other individuals whose personal data I process. The duty to operate a complaints process applies broadly and the Information Commissioner’s Office (ICO) states there are no exemptions.
Personal data (or personal information) means information that identifies or relates to an individual.
The ICO is the UK’s independent regulator for data protection and privacy. It provides guidance to organisations, investigates complaints, and has legal powers to take enforcement action where organisations do not comply with data protection law.


3. What is a “data protection complaint”?


A data protection complaint is any expression of dissatisfaction where the person considers I have breached data protection legislation in how I handled their personal information, and they do not need to use legal terms or cite legislation.

Examples include complaints about:


4. What is not a data protection complaint?


Sometimes people complain about service or other issues while also exercising data protection rights; the ICO explains that this doesn’t count as a data protection complaint (for example, a customer service complaint combined with a deletion request).
Where a complaint raises both data protection issues and other concerns I will treat it as a “mixed complaint”. I will handle the data protection aspects under this policy and ensure they are identified, recorded, and responded to separately and alongside any non-data protection issues.
If it is unclear whether the person intends to raise a data protection complaint, I will ask them to clarify.


5. How people can complain to me


I provide clear routes for individuals to complain directly to us, and I will accept complaints however they are received.
Preferred contact details:
Online form: https://www.theomoye.co.uk/contact

I invite use of the preferred method above, but people can complain via any channel (including via social media), and I must accept the complaint regardless.
Where a complaint comes in via social media, I will request an alternative contact method because social media is generally not a secure way to exchange personal information.


6. My legal duties


I will facilitate the making of complaints.
When I receive a data protection complaint, I will:

7. Making people aware of their right to complain


I will tell people that they can complain to me (and that they can also complain to the ICO) at the point I collect their personal information, for example in my privacy notice, using clear and plain language. I will also include information about this right when I respond to a subject access request.


8. Identity and authority checks


I will verify identity where necessary. If I have doubts about the complainant’s identity, I may ask for proof of ID and I will do this as early as possible; if I already have enough information to confirm identity, I will not request more.
If someone complains on behalf of another person, I must check they are authorised to act for that person (for example, by a signed letter of authority or appropriate power of attorney). If I do not have evidence of authority, I will not investigate until I receive it.


9. My process (step-by-step)



10. How to complain to the ICO


Individuals can complain to the ICO at any time. The ICO will, in most cases, ask individuals to raise their complaint with the organisation first, but the ICO remains available to handle eligible data protection complaints. ICO complaint information: https://ico.org.uk/make-a-complaint/data-protection-complaints/


11. Record keeping and retention


I will keep records to demonstrate compliance, including:

I will not retain personal information for longer than necessary.
I may also monitor themes and trends to identify recurring issues and improve compliance.


12. Children and vulnerable individuals


Children have the same rights as adults, but merit specific protection; if I receive a complaint from a child, I will use clear, plain language and assess competence to exercise rights.


13. Policy ownership and review


Policy owner: Theo Moye
Effective date: 19/06/2026
This policy may be updated at any time and without warning.